Azure Rights Management: Logging and all that it enables

I know you're all fed up with "Happy New Year" but I will offer such wishes anyway! In 2014 protecting your information will (should) be at the top of your list. Unlike the 3 or so weeks of drinking 64 oz of water and exercising daily for 30 minutes, this is one promise that we're all expected to be better about. With this in mind, the next few posts will be dedicated to 'tracking' your important documents. One often ignored aspect of RMS is the ability to mine (quite impressive) logs for hits of things not being 'quite right'. Said differently, even the practice of using RMS on "somewhat sensitive" documents with a "Your Company — All employees" will yield a goldmine of very impressive usage data. At Microsoft we often send out "vision" documents, memos, etc with RMS protection so that we (the document owners, area leaders) can get a sense of the readership. Logs don't lie. Today's post was co-authored with Amrita, our logging expert. Enjoy.

PS: Though this post is focused on Azure RMS, the AD RMS offering has wonderful SQL logs too so similar sentiments apply… especially the next post on how to use the new Microsoft "Power BI" to produce fantastic reports.

————————————-

Hi, Amrita here. Let's talk logging! Using the usage logging feature of the Microsoft Rights Management service (Azure RMS), with a few simple steps you can capture and view a log record for every administrative action and every request for your protected content that reaches the service, as soon as it happens.

This information is useful for a variety of reasons:

Analyzing data access for business insight. Using these logs, you can create reports and drive insights such as: who is accessing your sensitive data, what devices are being used for access, which locations are your users accessing data from, and report on which users have read a given document.

Monitoring for abuse. You can access your logs in near real time (delay: under 15 minutes), which lets you continuously monitor usage of your Microsoft RMS assets. You know your employees best and are uniquely qualified to identify abuse patterns. For example, your tenant administrators may want to be alerted if there is a spike in access to your assets after business hours (why is someone opening lots of critical documents in a short time?), if the same user is accessing from two different IP addresses within 15 minutes (are my passwords compromised?), or if someone is trying to read your content from a remote location (we don't have any staff there).

Performing forensics. When there is an information leak, the top two questions are:

Who recently accessed the specific document that got leaked?

What information did a specific user access recently?

With the Azure RMS architecture, you can save and share documents with any number of great tools: email, O365, consumer cloud storage services such as SkyDrive or DropBox, USB drives, and others, but you remain in control of who can access these docs. Any time someone wants to open and read a document protected with Microsoft RMS, strong encryption keeps your document safe until the user can prove their identity and that they have authorization to use the doc. The logging service helps you verify and track all access to your documents, so you feel safe sharing your data.

The following sections provide instructions on how to opt in for receiving your tenant logs. The Microsoft Rights Management Service can write log records for each transaction as part of the basic service price. All you have to do is provide a Windows Azure storage account to store the logs. You can decide how much history of logs to pay for, or move data into your on-premises BI tools and prune your Azure storage costs.

Step-by-Step Guide

Step 1: Understanding the Pre-requisites

To exercise the Usage Logging feature, the pre-requisites are as follows:

Pre-requisite: An IT-managed Microsoft Rights Management service subscription
Description: You must have a Microsoft RMS subscription managed by your organization. Organizations that use the free 'RMS for Individuals' offer cannot get logs.

Pre-requisite: A Windows Azure subscription
Description: You must have a subscription for Windows Azure and sufficient Azure storage to store your logs. For testing purposes, you can subscribe for a free Windows Azure 1-month trial.

Step 2: Set up a Windows Azure Storage

As previously outlined, the Microsoft Rights Management service writes logs to a Windows Azure storage account that you provide. We recommend you set up a dedicated storage account for the Microsoft RMS logs: you will need to share a storage account key with the Microsoft Rights Management service, and potentially with other users in your organization who report on your logs, and an account key grants full read, write and delete access to everything in that account. Keep nothing but the logs in it, and where you can, give reporting users a read-only shared access signature for the log container rather than the key itself.

1. Sign in to the Windows Azure management portal.

2. Select STORAGE in the left pane and click NEW at the bottom of the screen.

3. Select STORAGE and QUICK CREATE.

4. Type a unique name for your storage account URL, for example "rmsbilogs" for our fictitious company RMSBI Corporation, and select a location corresponding to the location of your RMS tenant, North Europe in our case. Click CREATE STORAGE ACCOUNT. Wait for Windows Azure to create your account. Once complete, you will see an Online status.

5. Click MANAGE ACCESS KEYS at the bottom of the screen. A Manage Access Keys dialog pops up and shows your primary and secondary access keys. Copy the primary access key to the clipboard; you will need it in the next step.

Step 3: Install Windows PowerShell for Rights Management

You will use the cmdlets of Windows PowerShell for rights management to configure and manage your Microsoft RMS log. If you haven't already done so, follow the instructions in Install Windows PowerShell for rights management to download and configure it.

Step 4: Configure Storage Account and Enable logging

To configure Microsoft RMS to log to the Windows Azure storage account:

1. Open an elevated Windows PowerShell command prompt.

2. Import the Microsoft Rights Management module for Windows PowerShell and connect to Azure RMS.

3. Specify the Azure storage account where you want your logs and enable logging. Replace the example access key in the ConvertTo-SecureString cmdlet with the storage access key that you copied from the Windows Azure management portal in Step 2, item 5 above, and replace the example storage account "RMSBILogs" with your real storage account name.

From this point onwards the Microsoft Rights Management service will log all requests served on behalf of your tenant to your storage account. Logs before this point are not available.

Step 5: Verify logs

You can verify the availability of logs by logging in to the Azure management portal. The logs should be available within 15 minutes.
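Steps 4 and 5 as one complete script, added here as a worked example; it is not the post's own listing. It uses the AADRM module's cmdlets (Import-Module AADRM, Connect-AadrmService, Set-AadrmUsageLogStorageAccount, Enable-AadrmUsageLogFeature). The storage account name is the fictitious RMSBI Corporation's, and Get-AadrmUsageLogFeature and Get-AadrmUsageLogStorageAccount are assumed to be the matching read-back cmdlets. Instead of pasting the key into the script it prompts for it, because the key is a full-control secret for the whole storage account.

```powershell
# Added example: configure Azure RMS usage logging (Step 4) and confirm it (Step 5).
# Run from an elevated Windows PowerShell prompt with the AADRM module installed.
# Placeholder/assumed values: the storage account name and the two Get-* read-back
# cmdlets at the end.

Import-Module AADRM

# Prompts for, and requires, RMS administrator credentials for the tenant.
Connect-AadrmService

$storageAccount = 'rmsbilogs'    # the account created in Step 2 (placeholder name)

# The access key grants full control of the storage account, so do not hard-code it.
# Prompt for it as a SecureString. The post's original form was
#   ConvertTo-SecureString -String '<key>' -AsPlainText -Force
# which works, but leaves the key in the script file and the command history.
$accessKey = Read-Host -Prompt "Primary access key for $storageAccount" -AsSecureString

# Point the service at the storage account, then turn logging on.
# Only requests served after this point are logged; there is no back-fill.
Set-AadrmUsageLogStorageAccount -StorageAccount $storageAccount -AccessKey $accessKey
Enable-AadrmUsageLogFeature

# Step 5: read the configuration back (assumed cmdlet names). Blobs should start
# appearing in the storage account within 15 minutes; from then on
#   Get-AadrmUsageLog -Path 'E:\logs'
# downloads whatever has been written so far.
Get-AadrmUsageLogStorageAccount
Get-AadrmUsageLogFeature

Disconnect-AadrmService
```

The prompt is the only change from the procedure in the post; everything else is the same sequence of cmdlets, in the order the steps describe.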

How to Access and Use your RMS Logs

The storage account that you created for your RMS logs is like a mailbox and supports direct reading from the storage account. However this is not the optimal way to access it. For best performance and reduced costs, we recommend that you download the logs to local storage such as a local folder, database, or a map-reduce repository. You can access your logs in many different ways. Here are some commonly used methods:

Using Windows PowerShell Cmdlet

This is the simplest way to access your logs. The Get-AadrmUsageLog cmdlet downloads each blob as a file to the location you specify. You may analyze these files locally or import them into a database or Hadoop storage to do some serious crunching. For example:

To download all available logs to your E:\logs folder: Get-AadrmUsageLog -Path "E:\logs"

Using Windows Azure Storage SDK

In some situations you may want more flexibility than Get-AadrmUsageLog provides. For example, you may need to delegate the downloading of logs to a person or process that cannot have your Microsoft RMS administrative credentials. Or you may want to poll for logs in near real time in order to monitor abuse. In such situations, you can retrieve the logs directly using the Windows Azure Storage SDK. That process only needs storage access to the log container (a shared access signature scoped to it, or at worst the storage account key); it does not need to be an RMS administrator.
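A delegated, incremental poller, added here as an example rather than taken from the post. It swaps the .NET Storage SDK the text mentions for the classic Azure PowerShell storage cmdlets (New-AzureStorageContext, New-AzureStorageContainerSASToken, Get-AzureStorageBlob, Get-AzureStorageBlobContent); the container name and destination folder are placeholders, and the container name in particular is an assumption you must read from your own storage account. It relies on the fact stated later in the post that blob names are numbers in creation order.

```powershell
# Added example: pull only new log blobs, with read-only delegated storage access.
# Placeholders/assumptions: $container (the container RMS writes into; look it up
# in the storage account) and $destination. Cmdlets are from the classic Azure
# PowerShell module.

$account     = 'rmsbilogs'
$container   = '<rms-log-container>'     # placeholder, not a real container name
$destination = 'E:\logs'

# --- Admin side, done once: mint a Shared Access Signature instead of handing out
# the account key. 'rl' = read + list, on this container only, for 30 days.
# The reporting job receives $sas and never sees the key or RMS admin credentials.
$adminCtx = New-AzureStorageContext -StorageAccountName $account `
              -StorageAccountKey (Read-Host -Prompt "Storage account key for $account")
$sas = New-AzureStorageContainerSASToken -Name $container -Permission rl `
              -ExpiryTime (Get-Date).AddDays(30) -Context $adminCtx

# --- Reporting side, on every poll (for example a scheduled task every 15 minutes).
$readCtx = New-AzureStorageContext -StorageAccountName $account -SasToken $sas

# Blob names are counters in creation order, so checkpoint the highest one fetched
# and download only newer blobs. That is what keeps near-real-time polling cheap.
if (-not (Test-Path $destination)) { New-Item -ItemType Directory -Path $destination | Out-Null }
$stateFile = Join-Path $destination 'last-blob.txt'
$last = if (Test-Path $stateFile) { [int64](Get-Content $stateFile) } else { -1 }

$newBlobs = @(Get-AzureStorageBlob -Container $container -Context $readCtx |
    Where-Object { $_.Name -match '^\d+$' -and [int64]$_.Name -gt $last } |
    Sort-Object { [int64]$_.Name })

foreach ($blob in $newBlobs) {
    Get-AzureStorageBlobContent -Blob $blob.Name -Container $container `
        -Destination $destination -Context $readCtx -Force | Out-Null
    $last = [int64]$blob.Name
    Set-Content -Path $stateFile -Value $last     # checkpoint after each blob
}
"Downloaded $($newBlobs.Count) new blob(s); last counter seen: $last"
```

Rotate the SAS before it expires and keep its lifetime short; because it is scoped to one container with read and list only, a leaked token exposes the logs but cannot alter or delete them, which an account key could.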

Using Microsoft Power BI

Using Microsoft Power BI you can connect to your Azure storage account directly and download the data to Excel. Now with the new Excel features such as Power View and Power Map, you can generate cool charts from your logs within minutes. In the next blog, we will see how to create RMS reports using Power BI. Stay tuned!

How to Interpret your RMS Logs

RMS writes logs to your Windows Azure storage account as a series of blobs. Each blob contains one or more log records, in W3C extended log format. The blob names are numbers, in the order in which they were created. Use the following information to help you interpret the RMS logs.

One field appears only if you brought your own key (BYOK): RMS logs it when your key is used for signing, typically once per AcquireLicense (or FECreateEndUserLicenseV1), Certify, and GetClientLicensorCert (or FECreatePublishingLicenseV1) request.
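Reading the downloaded files and running two of the checks described earlier (a user appearing from two IP addresses within 15 minutes, and who opened a given content-id), as an added example that is not part of the original post. The parser takes its column names from each file's own #Fields: directive, so it works whatever the real field list turns out to be. The sample records are constructed for this example, and the column names they use (user-id, request-type, result, content-id, c-ip) are assumptions, not the documented schema; the sample is built so that only the first user's two requests fall inside the window.

```powershell
# Added example: parse Azure RMS W3C extended log files and run two checks over them.
# Field names come from the #Fields: directive; the sample data and its column names
# below are constructed/assumed for this example.

function ConvertFrom-W3CLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') {          # a new directive resets the schema
            $fields = $Matches[1].Trim() -split '\s+'
            continue
        }
        if ($line.Trim() -eq '' -or $line.StartsWith('#')) { continue }   # blank / other directives
        if (-not $fields) { throw "Data row before any #Fields: directive: $line" }
        $values = $line.Trim() -split '\s+'
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            # W3C writes '-' for an empty field; map it to $null so truthiness tests work
            $v = if ($i -lt $values.Count) { $values[$i] } else { '-' }
            $record[$fields[$i]] = if ($v -eq '-') { $null } else { $v }
        }
        # one sortable timestamp from the W3C date and time columns (UTC)
        if ($record.Contains('date') -and $record.Contains('time')) {
            $record['timestamp'] = [datetime]::ParseExact("$($record['date']) $($record['time'])",
                'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
        }
        [pscustomobject]$record
    }
}

function Find-MultiIpAccess {
    # Flags users whose consecutive requests came from different IPs less than
    # $WindowMinutes apart (the "are my passwords compromised?" question).
    param([object[]]$Records, [int]$WindowMinutes = 15)
    $Records | Where-Object { $_.'user-id' -and $_.'c-ip' -and $_.timestamp } |
        Group-Object -Property 'user-id' | ForEach-Object {
            $events = @($_.Group | Sort-Object -Property timestamp)
            for ($i = 1; $i -lt $events.Count; $i++) {
                $prev = $events[$i - 1]; $cur = $events[$i]
                $gap = ($cur.timestamp - $prev.timestamp).TotalMinutes
                if ($cur.'c-ip' -ne $prev.'c-ip' -and $gap -le $WindowMinutes) {
                    [pscustomobject]@{ User = $_.Name; FromIp = $prev.'c-ip'; ToIp = $cur.'c-ip'
                                       Minutes = [math]::Round($gap, 1); At = $cur.timestamp }
                }
            }
        }
}

function Get-DocumentReaders {
    # Forensics question 1: who requested a use license (opened) a given content-id.
    param([object[]]$Records, [string]$ContentId)
    $Records | Where-Object { $_.'content-id' -eq $ContentId -and $_.'request-type' -eq 'AcquireLicense' } |
        Select-Object timestamp, 'user-id', 'c-ip', result
}

# Constructed sample in the shape of one downloaded blob (column names assumed).
$sampleText = @'
#Software: Microsoft Rights Management Service
#Version: 1.0
#Fields: date time user-id request-type result content-id c-ip
2014-01-07 08:02:11 alice@rmsbi.com AcquireLicense Success 7b1d2a8e-0001 10.0.0.5
2014-01-07 08:09:40 alice@rmsbi.com AcquireLicense Success 7b1d2a8e-0001 203.0.113.9
2014-01-07 09:00:03 bob@rmsbi.com Certify Success - 10.0.0.7
2014-01-07 09:04:55 bob@rmsbi.com AcquireLicense Success 7b1d2a8e-0001 10.0.0.7
2014-01-07 09:10:00 carol@rmsbi.com AcquireLicense Denied 7b1d2a8e-0002 198.51.100.4
2014-01-07 10:45:00 carol@rmsbi.com AcquireLicense Success 7b1d2a8e-0002 198.51.100.20
'@
$records = ConvertFrom-W3CLog -Lines ($sampleText -split "`r?`n")
# Real downloads: ConvertFrom-W3CLog -Lines (Get-Content (Get-ChildItem 'E:\logs' -File).FullName)

Find-MultiIpAccess -Records $records | Format-Table -AutoSize
Get-DocumentReaders -Records $records -ContentId '7b1d2a8e-0001' | Format-Table -AutoSize
```

Concatenating every file in the download folder into one call is safe because each file carries its own #Fields: line and the parser resets the schema whenever it sees one. The same records, once in a database, answer the second forensics question (everything a given user touched) with a filter on user-id instead of content-id.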

Frequently Asked Questions

1. Is the Microsoft RMS logging format similar to AD RMS?

Answer: The logging format is different from AD RMS, and fewer fields are logged so that downloading logs over the network is practical.

2. Do the logs also contain interaction from mobile devices?

Answer: Yes

3. Is it possible to identify protected documents with their names instead of content-id?

Answer: Currently we just support content-id.

4. Can I track document usage using the logs?

Answer: Yes, you can. I will show how to do this using Power BI in my upcoming blogs – check back in a few weeks!

What’s Next…?

This blog hopefully provided you with an overview of how useful the Microsoft RMS logs are, and how to get started with using your RMS logs. You can also find more information on TechNet: Log and analyze rights management usage.

In the next blog, we will see how to easily create cool RMS reports using Power BI. Stay tuned!
